#27214 Agent and User Data in Logs

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Friday, 31 March 2017 17:17 CDT

meldedchaoz
 I'm trying to look through the logs to determine if there are other agents that I want to block, based on the agents that are attacking my site. To do so, the only way that I can think of is to go through each alert e-mail one-by-one and look at the agent, as I can't find anywhere in the SQL database that has that data. The logs table has the IP of the attack, type, URL, etc....but not the "User" or "Agent" items that also show up often, depending on the attack type. Is the data held elsewhere that I can find?

dlb
In your /logs folder (as defined in the Joomla! Global Configuration screen) you will find the admintools.breeches.log file. That has more detail in it than the Security Exceptions Log does. That should give you the information you need.


Dale L. Brackin
Support Specialist


English: native

Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

My time zone is EST (UTC -5)

meldedchaoz
So my updated request is: Can you write those log files in a parse-able way (e.g. CSV or XML format)? While this is much better than going through e-mails, it still makes it cumbersome to automate or sort/filter data.

dlb
I had to check with Nicholas on that question, he said:
Not yet, but it's definitely something we plan on researching in the not so distant future.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

meldedchaoz
PowerShell command to parse the logs and just get a list of agent types that aren't Mozilla:
# Read the breaches log and collect every "UA" line that is not a Mozilla-style agent
$admintools_logs = Get-Content -Path "D:\logs\admintools_breaches.log"
$agentlist = @()
$admintools_logs | % {
    # Agent lines have the form "UA        : <agent>" (UA, eight spaces, colon, space)
    If ($_ -like "UA        :*") {
        $agent = ($_ -replace "UA        : ","")
        If (($agent -notlike "*Mozilla*") -and ($agent -notlike "")) {$agentlist += $agent}
    }
}
# Print each distinct agent together with the number of times it appeared
$agentlist | Select-Object -Unique | % {
    $agent_to_find = $_
    Write-Host "Agent: $_"
    # -eq instead of -like so that wildcard characters inside an agent string are not interpreted
    Write-Host "    Count: $(($agentlist | Where-Object {$_ -eq $agent_to_find} | Measure).count)"
}


Sample output attached.
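The same extraction done in a way that answers the earlier request for a parse-able format, as an added example that is not part of this ticket or of Admin Tools: it pulls the "UA        : " lines out of the breaches log, counts distinct agents (dropping Mozilla-style ones case-insensitively, as the PowerShell above does), and emits CSV that can be sorted or filtered in a spreadsheet. Only the "UA" line layout comes from the thread; the other field names in the constructed sample log, the file path, and the function names are assumptions.

```python
"""Summarise user agents from an Admin Tools breaches log as CSV (illustrative example)."""
import csv
import io
import sys
from collections import Counter

# Constructed sample log. The "UA        : " line format is taken from the thread;
# the Date/IP/Reason/URL field names are assumptions made for this example.
# "HACKING ATTEMPT DETECTED" is the inert string Admin Tools substitutes for a
# blocked malicious agent (per the staff reply in this ticket), so it is a
# marker of a block, not a real client.
SAMPLE_LOG = """\
Date      : 2017-03-30 10:11:12
IP        : 192.0.2.10
Reason    : example-rule
URL       : /index.php
UA        : Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
Date      : 2017-03-30 10:12:40
IP        : 198.51.100.7
Reason    : example-rule
URL       : /index.php?option=com_example
UA        : Ruby
Date      : 2017-03-30 10:15:02
IP        : 203.0.113.5
Reason    : example-rule
URL       : /administrator/
UA        : curl/7.52.1
Date      : 2017-03-30 10:20:31
IP        : 198.51.100.7
Reason    : example-rule
URL       : /index.php
UA        : Ruby
Date      : 2017-03-30 10:22:09
IP        : 203.0.113.9
Reason    : example-rule
URL       : /index.php
UA        : HACKING ATTEMPT DETECTED
Date      : 2017-03-30 10:23:44
IP        : 203.0.113.9
Reason    : example-rule
URL       : /index.php
UA        :
Date      : 2017-03-30 10:25:00
IP        : 192.0.2.77
Reason    : example-rule
URL       : /index.php
UA        : mozilla/5.0 (compatible; ExampleBot/1.0)
"""

UA_LINE_PREFIX = "UA        :"  # "UA", eight spaces, colon


def extract_agents(log_text):
    """Return every non-empty user-agent string, in order of appearance."""
    agents = []
    for line in log_text.splitlines():
        if line.startswith(UA_LINE_PREFIX):
            # Split on the first colon only; an agent string may itself contain colons.
            agent = line.split(":", 1)[1].strip()
            if agent:  # some entries carry an empty UA line; skip those
                agents.append(agent)
    return agents


def count_agents(log_text, exclude_substring="Mozilla"):
    """Count distinct agents, dropping any containing exclude_substring (case-insensitive).

    Pass exclude_substring=None to keep every agent.
    """
    counts = Counter(extract_agents(log_text))
    if exclude_substring:
        needle = exclude_substring.lower()
        counts = Counter({a: n for a, n in counts.items() if needle not in a.lower()})
    return counts


def agents_to_csv(counts):
    """Render a Counter of agents as CSV text, most frequent first."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["user_agent", "count"])
    for agent, n in counts.most_common():
        writer.writerow([agent, n])
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python agents_csv.py [path/to/admintools.breeches.log] > agents.csv
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    sys.stdout.write(agents_to_csv(count_agents(text)))
```

Run against the real log by passing its path; with no argument it processes the constructed sample and prints three rows (Ruby twice, curl once, the inert "HACKING ATTEMPT DETECTED" marker once). Treating the Mozilla filter as case-insensitive matters because PowerShell's -like is case-insensitive, so a lower-case "mozilla" agent would otherwise appear in the Python output but not in the PowerShell one.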

dlb
You probably already know this, but you have to be careful blocking user agents.
  • Blocking Opera will, of course, block about 1% of your visitors
  • Blocking cURL would probably result in CRON jobs "mysteriously" not working - same for most Joomla extensions which use either cURL directly or through the Joomla! API to load site URLs from the server side.
  • Blocking Ruby shouldn't be that much of a deal, unless you integrate with a third party service written in Ruby (e.g. a payments processing company)

Blocking user agents is something that requires caution and monitoring.


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

meldedchaoz
Hence why I made no reference to blocking all of the agents found, I was just trying to get the data to see if I could identify agents that could be (in this case, Ruby was the only choice). Thanks!

dlb
I just wanted to make sure we're on the same page. :-)


Dale L. Brackin
Support Specialist


us.gifEnglish: native


Please keep in mind my timezone and cultural differences when reading my replies. Thank you!


????
My time zone is EST (UTC -5) (click here to see my current time in Philadelphia, PA)

meldedchaoz
Question: what is the agent "HACKING ATTEMPT DETECTED"? Is that a user-defined agent, or something that AdminTools is generating? Can I add that string to the list, or do agents have to be without spaces in the name?

nicholas
Akeeba Staff
Manager
This is Admin Tools replacing the malicious user agent with an inert string after someone tries to exploit the Christmas 2015 vulnerability in Joomla session handling and Admin Tools blocks them. For what it's worth, the developers of Akeeba Ltd contributed the fix in Joomla which fixed this vulnerability.

You DO NOT need to add anything to your .htaccess list of blocked user agents. Admin Tools is more efficient in protecting you from this class of attacks than the static user agent list you can put in your .htaccess file.

Further to that, please do exercise extreme caution when using a user agent filter policy in your .htaccess. Admin Tools ships with an example that needs to be tailored to your needs. For example, the default list will also block WGet and the most common networking libraries for Perl and Delphi / FreePascal from accessing your site. The former will block remote CRON services like WebCRON or even local CRON jobs running through wget. The latter two may block third party services including some payments processing companies. If you were to add cURL to the mix you'd be killing most kinds of remote access to your site and probably some extensions running on your site which require server-side access of a URL on your site and use the Joomla API or cURL directly to do so.

Also remember that the user agent string is free text which can and will be modified to something inconspicuous by any hacker worth his salt. Using a long user agent list won't make your site immune to hackers. Think of it more like face control at the posh night club. If you look like a bum (your user agent is in the naughty list) you get kicked to the curb. If you look rich you'll get in - but nobody actually checks to see if you have any money at all. That's the level of sophistication (or lack thereof) carried by user agent filtering. Don't obsess over it. It's just one small fraction of your overall security policy.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
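A dry-run check for the collateral damage described above, added here as an example that is not part of this ticket or of Admin Tools: before putting a user agent pattern into .htaccess, match it against the agents your own cron jobs, server-side fetches and third-party callbacks actually send, and see which ones it would also block. The patterns are treated as case-insensitive regular expressions, the way Apache's BrowserMatchNoCase evaluates them; the candidate patterns, the "required agents" table and the function names are constructed for this example, not taken from any shipped Admin Tools list.

```python
"""Dry-run a proposed user-agent blocklist against agents you depend on (illustrative example)."""
import re

# Constructed candidate patterns, of the kind one might be tempted to add after
# reading the breaches log. Matched case-insensitively like BrowserMatchNoCase.
CANDIDATE_BLOCKLIST = ["Ruby", "Wget", "curl", "libwww-perl", "Indy Library"]

# Constructed table of agents that legitimate parts of this site's operation send.
# Real deployments would fill this from their own cron, extension and vendor logs.
REQUIRED_AGENTS = {
    "cron": "Wget/1.19.4 (linux-gnu)",          # local cron job fetching a site URL
    "joomla-fetch": "curl/7.58.0",              # extension loading a site URL server-side
    "payment-callback": "Ruby",                 # third-party service written in Ruby
}


def blocklist_collateral(patterns, required_agents):
    """Map each pattern to the sorted names of required agents it would also block."""
    report = {}
    for pattern in patterns:
        rx = re.compile(pattern, re.IGNORECASE)
        report[pattern] = sorted(
            name for name, ua in required_agents.items() if rx.search(ua)
        )
    return report


def safe_patterns(patterns, required_agents):
    """Return only the patterns that hit none of the required agents, in original order."""
    collateral = blocklist_collateral(patterns, required_agents)
    return [p for p in patterns if not collateral[p]]


def first_blocking_pattern(patterns, user_agent):
    """Return the first pattern that would block user_agent, or None if it passes."""
    for pattern in patterns:
        if re.search(pattern, user_agent, re.IGNORECASE):
            return pattern
    return None


if __name__ == "__main__":
    for pattern, hits in blocklist_collateral(CANDIDATE_BLOCKLIST, REQUIRED_AGENTS).items():
        status = "OK" if not hits else "would also block: " + ", ".join(hits)
        print(f"{pattern:<14} {status}")
    print("safe to add:", safe_patterns(CANDIDATE_BLOCKLIST, REQUIRED_AGENTS))
```

Run as is, the report flags "Ruby", "Wget" and "curl" as hitting the cron job, the server-side fetch and the payment callback respectively, and leaves only "libwww-perl" and "Indy Library" as safe to add. The check is only as good as the REQUIRED_AGENTS table, which is why the thread's advice to keep monitoring after any change still applies; and because the agent string is free text, an empty collateral list says nothing about how much attack traffic the pattern actually stops.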

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.
